Ensure no sg rule is repeated on the Network Policy CRD

When a network policy is updated we compare all the existing sg rules
with the current sg rules in order to add/remove rules.
When there are repeated existing rules, only the first occurrence
of the rule is identified as to be kept, and the second one
is not, causing the rule on the current sg rules to not be created,
as it matches an existent sg rule that was not meant to be kept,
causing a breakage on the update NP CRD which does not allow sg rules
with no ID.

This commit fixes the issue by ensuring that no sg rule is repeated
on the NP CRD.

Closes-bug: 1861624

Change-Id: I5170e0177a87c2dde77f19f6a7ae09ca2a06c65e
Maysa Macedo 2020-01-31 15:48:13 +00:00 committed by Maysa de Macedo Souza
parent 381af76bf8
commit 85e542e7f9
1 changed files with 22 additions and 11 deletions


@ -192,7 +192,8 @@ def _create_sg_rule_on_text_port(sg_id, direction, port, rule_selected_pods,
pods=pods)
sgr_id = driver_utils.create_security_group_rule(sg_rule)
sg_rule['security_group_rule']['id'] = sgr_id
crd_rules.append(sg_rule)
if sg_rule not in crd_rules:
crd_rules.append(sg_rule)
return matched
@ -222,12 +223,14 @@ def _create_sg_rules(crd, pod, pod_selector, rule_block,
sg_rule = _create_sg_rule(
sg_id, direction, cidr=pod_ip, port=port,
namespace=namespace)
crd_rules.append(sg_rule)
if sg_rule not in crd_rules:
crd_rules.append(sg_rule)
else:
matched = True
sg_rule = _create_sg_rule(
sg_id, direction, cidr=pod_ip, namespace=namespace)
crd_rules.append(sg_rule)
if sg_rule not in crd_rules:
crd_rules.append(sg_rule)
else:
# NOTE (maysams) When a policy with namespaceSelector and text port
# is applied the port on the pods needs to be retrieved.
@ -296,9 +299,11 @@ def _parse_selectors_on_namespace(crd, direction, pod_selector,
LOG.debug("Skipping SG rule creation for pod "
"%s due to no IP assigned", pod_name)
continue
crd_rules.append(_create_sg_rule(
sg_rule = _create_sg_rule(
sg_id, direction, pod_ip, port=port,
namespace=ns_name))
namespace=ns_name)
if sg_rule not in crd_rules:
crd_rules.append(sg_rule)
else:
for pod in pods:
pod_ip = driver_utils.get_pod_ip(pod)
@ -308,9 +313,11 @@ def _parse_selectors_on_namespace(crd, direction, pod_selector,
" to no IP assigned", pod_name)
continue
matched = True
crd_rules.append(_create_sg_rule(
sg_rule = _create_sg_rule(
sg_id, direction, pod_ip,
namespace=ns_name))
namespace=ns_name)
if sg_rule not in crd_rules:
crd_rules.append(sg_rule)
else:
ns_pods = driver_utils.get_pods(ns_selector)
ns_cidr = driver_utils.get_namespace_subnet_cidr(namespace)
@ -323,14 +330,18 @@ def _parse_selectors_on_namespace(crd, direction, pod_selector,
crd_rules, matched, crd))
else:
matched = True
crd_rules.append(_create_sg_rule(
sg_rule = _create_sg_rule(
sg_id, direction, ns_cidr,
port=port, namespace=ns_name))
port=port, namespace=ns_name)
if sg_rule not in crd_rules:
crd_rules.append(sg_rule)
else:
matched = True
crd_rules.append(_create_sg_rule(
sg_rule = _create_sg_rule(
sg_id, direction, ns_cidr,
namespace=ns_name))
namespace=ns_name)
if sg_rule not in crd_rules:
crd_rules.append(sg_rule)
return matched, crd_rules
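Review bot: The `if sg_rule not in crd_rules:` check in the first hunk (`_create_sg_rule_on_text_port`) runs after `sg_rule['security_group_rule']['id'] = sgr_id`, so the Neutron rule has already been created by the time the duplicate is detected, and the dict comparison only matches when the repeated create handed back the same id as the earlier one. If `driver_utils.create_security_group_rule` returns the existing rule's id on a conflict (not visible here), the deduplication works but still spends one API round-trip per repeated rule; if it returns a fresh id, the duplicate is still appended and the CRD update this commit targets is not fully protected. That dependency deserves a comment beside the check, e.g. `# Relies on create_security_group_rule returning the existing rule's id on conflict, so equal rules compare equal including 'id'.` The same check-after-create shape is repeated through `_create_sg_rule` in the four later hunks; a small helper such as `_append_unique(crd_rules, sg_rule)` would keep the seven copies consistent. Each enclosing function starts outside its hunk.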